On Sun, 2010-06-06 at 20:31 -0500, Skip Evans wrote:

> Hey all,
> I'm familiar with setting cookies in PHP and using REMOTE_ADDR
> to get a visitor's IP address (or that of their gateway), but
> not quite sure how to implement a robust mechanism that would
> limit a user to logging in from only two different machines, a
> requirement this client has on the project.
> I'd greatly appreciate hearing from people who have done this
> or something similar, or suggestions people might have that
> would give that oh so familiar, "D'oh!" moment.
> I have some ideas sketched out, setting cookies, etc, but not
> sure how robust they'd be.
> Big Thanks!
> Skip
> -- 
> ====================================
> Skip Evans
> PenguinSites.com, LLC
> 503 S Baldwin St, #1
> Madison WI 53703
> 608.250.2720
> http://penguinsites.com
> ------------------------------------
> Those of you who believe in
> telekinesis, raise my hand.
>   -- Kurt Vonnegut

Is this two machines at the same time, or two machines ever?

I don't think there's any way you can guarantee either, unless you
supply them with some form of closed binary that they are forced to use
either instead of or with the browser, i.e. a Java applet, etc.

A similar question to this came up on the list not so long ago, and
there was no real conclusion at the end other than it can't really be
done. Cookies can be deleted, IP addresses change all the time (either
deliberately, by some proxy or even by the ISP itself issuing a dynamic
IP address), even the MAC address (if you found a way to get at it) can

About the only thing I've seen that might help was a device made for the
Bloomberg stock market system, which was a small credit-card sized
object which would read in a random pattern of flashes from the screen
and produce a unique ID number which was then keyed back into the
system. By relying on a physical dongle you can pretty much guarantee
that a user is only on one system, but the project obviously becomes
much more costly and complicated.

If you do go the cookie route, maybe gather a bunch of information to
store on the server against that cookie and the user. If the cookie is
not detected the next time the user goes to log in, maybe force them to
send an email requiring a manual unlock, and make them give a reason for
either why the cookie was removed, or why the computer information has
changed beyond the two computer profiles you've got stored for them.
It's not foolproof, but might show your client why this isn't something
that can be easily done, and is not something that should be decided on
lightly, as there are many valid and genuine reasons why somebody might
want to use more than two computers (i.e. they had a fire and lost those
computers, they rebuilt a computer with a new OS, they upgraded the
computer, a computer was stolen and needed to be replaced, they are away
from their computer and had to use a public access one, etc. The list
can go on and on.)
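One way to implement the cookie-plus-profile scheme sketched in the reply above, as an added PHP example that is not code from anyone in this thread. The constants, the function names (issue_device_token, token_id, device_profile, check_device) and the load_devices/save_devices persistence helpers mentioned in the comment are this example's own assumptions; an in-memory array stands in for the per-user database table, and DEVICE_SECRET is a placeholder for a real random secret kept outside the code. The server stores only a keyed hash of each device token, keeps at most two registered machines per user, and locks the account for a manual unlock (with the recorded profile as the "reason") when a third machine shows up without a recognised cookie.

```php
<?php
declare(strict_types=1);

// Added example: a device-profile registry with a two-machine limit.
// Names (MAX_DEVICES, check_device, ...) are this example's own, not PHP
// built-ins or anything from the thread. Storage is an in-memory array
// standing in for a per-user database table.

const MAX_DEVICES   = 2;
const DEVICE_COOKIE = 'device_token';
// Server-side secret used to key the hash of stored tokens, so a leaked
// table does not hand an attacker working cookies. Placeholder value.
const DEVICE_SECRET = 'replace-with-32-random-bytes-kept-out-of-the-repo';

/** Fresh unguessable token; the raw value is what the browser stores. */
function issue_device_token(): string
{
    return bin2hex(random_bytes(32));
}

/** Only this keyed hash of the token is kept server-side. */
function token_id(string $token): string
{
    return hash_hmac('sha256', $token, DEVICE_SECRET);
}

/** Coarse machine profile recorded with a device for the manual-unlock review.
 *  None of it is trustworthy on its own (UA strings and IPs change), which is
 *  why it is evidence for a human, not the key used for the lookup. */
function device_profile(array $server): array
{
    return [
        'ua'   => $server['HTTP_USER_AGENT'] ?? '',
        'lang' => $server['HTTP_ACCEPT_LANGUAGE'] ?? '',
        'ip'   => $server['REMOTE_ADDR'] ?? '',
        'seen' => gmdate('c'),
    ];
}

/**
 * Gate a successful password check on the device cookie.
 * $devices is the user's registry keyed by token_id(); $cookieToken is the
 * raw cookie value or null. Returns the verdict, a new token to set (if
 * any), the updated registry and, when locked, the reason to show support.
 */
function check_device(array $devices, ?string $cookieToken, array $server): array
{
    $profile = device_profile($server);

    if ($cookieToken !== null && isset($devices[token_id($cookieToken)])) {
        // Recognised machine: record the visit and let the login through.
        $devices[token_id($cookieToken)]['last_seen'] = $profile;
        return ['status' => 'ok', 'token' => null, 'devices' => $devices, 'reason' => ''];
    }

    // No cookie, or one we never issued: treat it as a new machine.
    if (count($devices) >= MAX_DEVICES) {
        return [
            'status'  => 'locked',
            'token'   => null,
            'devices' => $devices,
            'reason'  => sprintf('no recognised device cookie and %d machines already registered; attempt from %s (%s)',
                MAX_DEVICES, $profile['ip'], $profile['ua']),
        ];
    }

    $token = issue_device_token();
    $devices[token_id($token)] = ['registered' => $profile, 'last_seen' => $profile];
    return ['status' => 'ok', 'token' => $token, 'devices' => $devices, 'reason' => ''];
}

// In a web request, after the password has been verified for $userId
// (load_devices/save_devices are hypothetical persistence helpers):
//   $result = check_device(load_devices($userId), $_COOKIE[DEVICE_COOKIE] ?? null, $_SERVER);
//   if ($result['status'] === 'locked') { /* show the manual-unlock form, log $result['reason'] */ }
//   if ($result['token'] !== null) {
//       setcookie(DEVICE_COOKIE, $result['token'], [
//           'expires' => time() + 365 * 86400, 'path' => '/', 'secure' => true,
//           'httponly' => true, 'samesite' => 'Strict',
//       ]);
//   }
//   save_devices($userId, $result['devices']);

// Command-line walkthrough with constructed request data.
$server  = ['HTTP_USER_AGENT' => 'Mozilla/5.0 (constructed)', 'REMOTE_ADDR' => '203.0.113.5'];
$devices = [];

$first   = check_device($devices, null, $server);                      // registers machine 1
$second  = check_device($first['devices'], null, $server);             // registers machine 2
$third   = check_device($second['devices'], null, $server);            // third machine: locked
$revisit = check_device($second['devices'], $first['token'], $server); // machine 1 again: ok

printf("1st: %s, 2nd: %s, 3rd: %s, revisit: %s\n",
    $first['status'], $second['status'], $third['status'], $revisit['status']);
printf("lock reason: %s\n", $third['reason']);
```

Run it with the PHP command-line interpreter to see the first two logins register, the third lock, and the revisit with the first cookie succeed. The limit this enforces is really "two cookies", not "two machines": a user who copies the cookie file to another computer is indistinguishable from the registered one, and the HttpOnly flag only keeps page scripts away from it, not the user. That is the same gap the reply points out, so the recorded profile and the manual-unlock step are what make the scheme workable, not the cookie by itself.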